Flaws In John Deere's Website Provides a Map To Customers, Equipment (securityledger.com)
chicksdaddy shares a report from The Security Ledger: Websites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company's customers, including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. The researcher known as "Sick Codes" published two advisories on Thursday warning about the flaws in the myjohndeere.com website and the John Deere Operations Center website and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.
Sick Codes disclosed both flaws to John Deere and also to the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California's CCPA or the Personal Information Protection Act in Deere's home state of Illinois. However, the national security consequences of the company's leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.
The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet-connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn. The agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report (PDF) released by the Department of Homeland Security concluded that the "adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities" (and that) "potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers."
HEY, EDITORS! (Score:1)
Flaws In John Deere's Website Provides a Map To Customers, Equipment
Provides?
Re: (Score:2)
Provides?
Provides.
In all fairness... (Score:2)
... 17 is still about 3 years older than the median mental age of posters. That might have been a better choice than you think.
time to send them a dear john! (Score:2)
time to send them a dear john!
JD (Score:5, Insightful)
JD, the company where every tractor repair needs a laptop hooked up to the tractor. Right to repair cannot come fast enough.
Re: (Score:1)
They aren't overgrown lawn tractors. They're essentially giant, autonomous agriculture robots.
Potentially very dangerous and nothing to trifle with. It's not the 70's anymore.
Re: (Score:3)
Umm no. Not even close to autonomous robots, sorry. They are still just big machines that pull heavy loads. They break down and need repairs that an average repairman can do if he had the codes to identify the problem. We do all our own maintenance and repairs ourselves whenever possible. Yes we're talking 500 hp heavy tractors. Having access to diagnostic codes to know what sensor has failed and the ability to reset codes in no way inhibits the safety of anyone. To say farmers shouldn't be able to work
Re: (Score:2)
Exactly. My brother still operates the 1960's era JD 4020 that our father bought.
It does the job and is easy to fix when necessary.
Re: (Score:3)
I didn't mean to be condescending, but I was and I apologize. Ag doesn't get the respect it deserves, and again, I'm sorry.
I was poorly attempting to make a point that the control systems in the Deere offerings are complex beyond shade tree wrenching of the software controlled components.
I worked at Deere in the guidance group and wrote some of the software running on the current tractors.
After reading a moderate amount the code and learning about the complexities of the issues they deal with, I'm in awe of
Re: (Score:2)
Have you seen the open source AgOpenGPS project? I think you'd find it quite interesting. In some ways it is primitive, and in other ways it's far more advanced than anything in my current tractors. In fact this year more than before I'm beyond frustrated with the primitive path planning of my Trimble NavII systems. As far as my John Deere machines go, oddly enough I find the old brown box monitor works way better than my newer 2630 when it comes to re-acquiring the line smoothly after a turn.
Re: JD (Score:2)
Let the invisible hand of the free market bring us open source tractors and hookers.
Re: (Score:2)
Not true. I own a John Deere tractor and live on an old farm.
There's plenty you can repair or customize on your deere tractor. As somebody else pointed out, some of their advanced machines are more like robots that plant and harvest for you. They're really cool, but it should come as no surprise that a computer controlled robot needs more sophisticated ways of maintaining than a tractor when you run a new hydraulic line or change the oil...
or you could (Score:1)
Or you could just drive out to farm country and see where they have big expensive tractors and farm implements.
Or you could go to a John Deere dealer and see all of their big expensive tractors. So what?
What does the data gain anyone? Someone going to steal a 30 mph max giant tractor and sell it down the road?
Find out where Bob Evans garages his Gleaner? These things are locked down more than an iPhone.
Farm implements have unique identifiers that they transmit over the CAN bus when they're attached.
That's esse
Re: (Score:2)
Nobody's gaining anything with this "hack".
Not much of an imagination, have you?
I thought of half a dozen ways this information would be useful before finishing TFS. And that doesn't count the ones actually listed in TFS.
Stick to jobs that don't require any original thought, kid. You're clearly not suited for the ones that do.
Re: (Score:2)
I can imagine quite a bit, but I'm not oriented towards destructive anarchy.
Re: (Score:2)
I can imagine quite a bit, but I'm not oriented towards destructive anarchy.
Fair enough, and sorry for the unnecessary level of snark. But there's a far cry from, "I can't see how this would be useful" to 'Nobody's gaining anything with this "hack"'.
The former may be true, but the latter is definitely not. For those of us who work in security, we have to be able to figure out how someone who is oriented toward destructive anarchy would exploit things like this.
A lot of damage could be done by someone nefarious with this information.
Useless map (Score:2)
I want a map to a lost ancient treasure of the Inca civilization.
someone is craving attention (Score:3, Insightful)
Re: (Score:1)
No.
They also reported that the VIN alone will return a wealth of information about the owner. Including address and contact information.
VINs can be harvested from auctions and sales sites. They can also be guessed or enumerated fairly easily.
This is very, very stupid. The username disclosure vulnerability is fairly minor.
Sick codes' hacker cred just doubled in my book (Score:2)